Previous: vnc_generate_server, Up: vnc_generate_cert


3.10.6.3 Issuing client certificates

If the QEMU VNC server is to use the x509verify option to validate client certificates as its authentication mechanism, each client also needs to be issued a certificate. The client certificate contains enough metadata to uniquely identify the client, typically organization, state, city, building, etc. On the host holding the secure CA private key:

# cat > client.info <<EOF
country = GB
state = London
locality = London
organiazation = Name of your organization
cn = client.foo.example.com
tls_www_client
encryption_key
signing_key
EOF
# certtool --generate-privkey > client-key.pem
# certtool --generate-certificate \
           --load-ca-certificate ca-cert.pem \
           --load-ca-privkey ca-key.pem \
           --load-privkey client-key.pem \
           --template client.info \
           --outfile client-cert.pem

The client-key.pem and client-cert.pem files should now be securely copied to the client for which they were generated.